According to a study by the Ponemon Institute, 39 percent of data breaches in 2010 involved third-party service providers such as outsourcers, contractors, consultants and business partners. As many companies have learned, data breaches are expensive, in terms of both actual costs and potential legal liability and negative publicity. An important data breach prevention measure is to have in place effective safeguards to protect personal information and to require your company’s vendors to do the same. In addition to being sound risk mitigation, doing so may be required by law.
The Massachusetts Office of Consumer Affairs and Business Regulation established what have become known as the Massachusetts data security regulations with the aim of addressing privacy breach risks posed by vendor relationships, among other things. The regulations, which went into effect March 1, 2010, require any company, regardless of location, size or industry, that possesses the personal information of a Massachusetts resident to adopt and implement a comprehensive written information security program (WISP). A WISP must address the technical, physical and administrative safeguards for the protection of personal information.
Vendor contracts and amendments should contain several key provisions, including representations, warranties and covenants providing the following: